ICO releases draft guidance on Internet of Things devices

By Christopher Air & Charlotte Halford

Published 03 July 2025

Overview

Over the past decade, there has been a surge in the adoption of smart products, particularly in people's homes. From smart appliances such as speakers featuring virtual assistant technology, Wi-Fi-connected fridges and internet-connected air fryers, to wellbeing products such as smart scales and fitness watches, to security devices such as smart doorbells, these products have become part of everyday life, and we typically interact with and control them through apps on our mobile phones.

This growing ecosystem of internet-connected products is collectively referred to as the Internet of Things ("IoT"). Whilst IoT technologies have brought convenience and put useful information and control at our fingertips, they also pose complex challenges from a data protection compliance perspective, particularly where they are used in a consumer-facing context. In people's homes they collect a great deal of personal information about their users, including their habits, lifestyles and routines, and share that personal data with other devices and third parties along convoluted supply chains. This increase in use has fuelled concerns, sometimes bordering on paranoia, that our smart devices are collecting too much information and may even be spying on us in our own homes. There are, however, more tangible risks: personal data breaches involving IoT products can lead to financial or even physical harm. For example, people may be defrauded if their IoT device is compromised, or their home may be burgled if their smart lock's security is defeated.

Published guidance

In response to these growing concerns, the Information Commissioner’s Office ("ICO") has recently released draft guidance on connected devices, including for manufacturers and developers of smart products (particularly those products that process personal data).

The ICO draft guidance aims to help organisations involved in supplying IoT products to understand how to meet their obligations under data protection law. The guidance refers in particular to manufacturers, developers of operating systems, mobile app developers, web app developers, software developers, AI service providers, providers of biometric technologies, providers of sensors and telemetry, cloud providers, and cybersecurity and IT providers.

The guidance acknowledges that the processing of personal data purely for personal or household purposes falls outside the scope of the UK GDPR. Consumers using IoT products purely for personal or household purposes are therefore simply data subjects, with no obligations of their own under the UK GDPR, whilst the manufacturers, developers and suppliers of such products will be caught by it.

The guidance encourages organisations to consider the lifecycle of an IoT product in terms of what personal data may be collected about a user at each stage or interaction. It highlights data which is:

  • Obtained directly from the user, such as when they provide personal information like their name, date of birth, email address or user account details
  • Obtained from another source, such as a third party (e.g. a social media company or another mobile app, for purposes such as account linking)
  • Observed from how the user interacts with the product and any associated services (e.g. an app)
  • Collected from the product's hardware and software, such as sensors, device identifiers, voice and video recordings, images, movements, temperature and location, and
  • Inferred about someone, for example by combining and analysing information collected from the user, the product or other sources, and drawing inferences about their behaviours, characteristics or preferences

There is also the possibility of special category data being collected, whether directly or by inference. For example, a smart watch can collect and reveal information from which aspects of someone's health, such as a medical condition, can be inferred. The guidance also acknowledges sensitivities around location data (for instance where the app has GPS-enabled functionality) and around children's data. Where such data is collected, additional protections and considerations are needed to achieve compliance.

The ICO guidance focusses in particular on the Principles under Article 5 of the UK GDPR and how organisations can comply with them. Below is a summary of some key aspects of the draft guidance, focussing on the Principles which, in our view, merit particular attention:

Accountability: The ICO draft guidance emphasises the need to consider data protection compliance from the early design stage and to document that privacy considerations have been taken into account. Examples of how this can be achieved include correctly identifying your organisation's role (i.e. whether it is a controller or a processor, and what roles the other parties in the supply chain will fulfil), conducting a Data Protection Impact Assessment ("DPIA") and maintaining records of processing. Following a data protection by design and default approach is therefore key to getting compliance right from the start, for example by incorporating privacy enhancing technologies into the design of the product.

Lawfulness: IoT devices should process personal information under an identified lawful basis, and the relevant data controller should identify that basis before the devices are placed on the market. Furthermore, the controller must have a valid condition for processing any special category data. The ICO draft guidance states that the most relevant lawful bases are likely to be consent, contract, legal obligation or legitimate interests. The draft guidance also provides various examples of how valid consent can be obtained as part of the user's interaction with the device.

Fairness: IoT devices should process personal information fairly, i.e. in a way that people would reasonably expect, and the processing should not have unjustified adverse effects on individuals. The data controller should consider how personal data is processed in light of the related requirements of necessity, proportionality and purpose limitation.

The draft guidance states that fairness is particularly relevant if your IoT product uses AI, for example to analyse information about people's interactions with the product and any associated service such as an app. This is because AI technologies can be susceptible to bias, which can result in discriminatory outcomes. You must ensure that your IoT products perform accurately and produce unbiased, consistent outcomes. Ensuring that algorithms are trained on suitable datasets, and that any identified bias is addressed, is therefore something to tackle at an early stage.

Transparency: Businesses must be clear and transparent about how IoT devices collect, use and share personal data, and must give users the information they need to give informed consent (where consent is the lawful basis or processing condition being relied upon). The draft guidance recognises that IoT products can have different interfaces, e.g. screens, voice and sound interfaces or a mobile app, and controllers should consider which interface is best suited to providing transparency information and obtaining consent at each key stage of the user's journey. Transparency information could, for instance, be made accessible through the product's settings or in a privacy dashboard.

Security: IoT devices can be used in ways that give rise to a number of high-risk processing activities, and they must therefore be designed with privacy and security in mind, ensuring that personal data is adequately protected from unauthorised access and other security breaches. The measures referred to include basic controls such as passwords, multifactor authentication and security updates. The draft guidance also acknowledges the growing role of more sophisticated privacy enhancing technologies, and specifically references zero knowledge proofs, federated learning and homomorphic encryption as potentially useful in reducing security-related risk. In practice these are data minimisation techniques: they reduce how much personal data has to be shared or exposed, and complement rather than replace the basic controls above. Any agreements between the parties in a supply chain should define security standards, set out breach notification timelines and responsibilities, and specify liability for data breaches and other non-compliance.

AI implications

To the extent that AI is integrated into a smart product, the contracts in place, e.g. between the manufacturer and the supplier, should cover aspects such as explainability (how AI decisions are made and communicated), bias and fairness (the mechanisms for auditing and mitigating discriminatory outcomes) and human oversight (how and when human intervention is possible). Whilst the UK has not adopted the EU AI Act, there is a growing recognition, in line with the UK's current, more principles-based approach to regulating AI, that contracts relating to AI-enabled technologies will increasingly need to include express clauses covering the lawful use of AI, including transparency, fairness, proportionality and non-discrimination. The draft guidance also refers to profiling and automated decision-making, in particular Article 22 of the UK GDPR and an individual's right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on them (although we note that the automated decision-making rules in Article 22 are to be reformed under the new Data (Use and Access) Act 2025).

Insurance implications

Insurers that underwrite companies developing smart products may increasingly take a range of factors into account in light of this draft ICO guidance. For example, suppose a startup develops a fitness tracker that monitors heart rate, sleep and location. Because sensitive health data is involved, the risk of a UK GDPR breach is higher. The insurer may therefore require a DPIA to be undertaken before it commits to underwriting the product, and should be aware that the company's failure to meet the obligations described in the ICO guidance could lead to regulatory fines and enforcement action.

How we can help

DACB recently supported a large corporate client procuring an IoT-enabled software solution. Various sensors and monitors were installed in a building and gathered large amounts of environmental data, including humidity, light, noise, temperature, movement and the consumption of energy and other utilities by tenants.

The sensors did not directly collect much personal data, but a significant amount of personal data could be inferred from the measurements about the activity of the individuals residing in the apartments, including aspects of their daily routines and potentially special category data relating to health and even religion. Article 28-compliant data protection clauses were therefore required in the contract between the customer (data controller) and the supplier of the sensors and software solution (processor), and the client undertook a DPIA to identify and mitigate any privacy-related risks.

We have also worked with various health tech suppliers introducing wearable technology to track patients' heart rates, blood sugar levels and other vital measurements for sharing with healthcare providers.

At DACB, our leading data protection team regularly advises clients involved in supplying IoT on the full range of data protection compliance issues, working with them to understand and navigate the compliance landscape.

If you would like to speak with one of our experts for a free consultation, please contact Chris Air or Charlotte Halford for more information on how we may be able to assist.